The upstream patch only seems to add checks to make sure the POST method is used. It
seems the attacker should still be able to create a link that would do a POST
using JavaScript to achieve the very same results with a little more complication.
(This assumption is only based on reading the patch with no testing against mantis.)

Your assumptions are correct. I am working upstream and I was not satisfied
with that solution either; can you point me to commonly recognized best practices
against this kind of attack?
I'm a bit confused because I see this as having someone convince me that doing rm
-rf / is a good thing to do. If I trust him and happen to run it in a root
shell, that does not make a vulnerability in bash (or anything else...)
thanks in advance
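To illustrate the point made in the first message (a POST-only check does not stop a cross-site request) and the best practice asked for in the second, here is an added example that is not part of this thread or of the Mantis code base: a synchronizer token check, shown beside the method-only check, run against a constructed legitimate request and a constructed cross-site one. The session store, request shape and return codes are assumptions of the example.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session id -> per-session CSRF token.
SESSIONS = {}

def new_session():
    """Create a session and mint a per-session CSRF token (synchronizer token pattern)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32)}
    return sid

def render_form(sid):
    """Hidden fields the legitimate page embeds; a cross-origin page cannot read them."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}

def handle_method_only(request):
    """Method-only check: accept any POST that carries a valid session cookie."""
    if request["method"] != "POST":
        return 405
    if request["cookie_sid"] not in SESSIONS:
        return 401
    return 200  # state-changing action performed

def handle_with_token(request):
    """Method check plus synchronizer token: the submitted token must match the session's."""
    if request["method"] != "POST":
        return 405
    session = SESSIONS.get(request["cookie_sid"])
    if session is None:
        return 401
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403  # request did not originate from our own page: reject without acting
    return 200

def demo():
    """Return (legitimate, cross-site) results for both handlers."""
    sid = new_session()
    # Legitimate submission: the form fields come from the page the user loaded.
    legit = {"method": "POST", "cookie_sid": sid, "form": render_form(sid)}
    # Cross-site submission (constructed): the browser attaches the session cookie,
    # but the other site never saw the token, so the form carries none.
    forged = {"method": "POST", "cookie_sid": sid, "form": {}}
    return {
        "method_only": (handle_method_only(legit), handle_method_only(forged)),
        "with_token": (handle_with_token(legit), handle_with_token(forged)),
    }
```

The method-only handler accepts both requests; the token handler accepts only the one whose form came from the application's own page.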

I'm working upstream on a solution for the other issues. How urgently should fixing
the first issue be treated? In other words, is it better to push a
security update now and another when the other fix is ready, or everything
together (possibly within an official 1.1.2 release)?

So far it seems all issues have low or moderate security impact, hence no urgent
priority, I believe. Do you know what the expected release date for 1.1.2 is?
Probably not worth doing backports if a new upstream version is expected any time
soon.